Help with Asus Firewall


Vernon

New Around Here
Asus RT-AX88U with Merlin 386.2_6.

I appreciate any help. I've configured routers before, but I find the Asus firmware to be pretty awful.

Firewall > General Tab

01. I assume the firewall at the top of the page under "General" is the IPV4 firewall.

02. What is the difference between the options under "logged packets type"; dropped or accepted?

03. I assume that the Inbound Firewall rules at the bottom apply to both IPV4 and IPV6?

04. Does anyone know a reasonable set of inbound firewall rules that I can just use?

Firewall > Network Services Filter

01. I assume that to have the network services filter always on you just check Mon-Fri and leave the Time of Day at 00:00 - 23:59?

02. In the Network Services Filter table at the bottom:
02.01. Does Source IP let you specify a specific machine on your LAN? Is Destination IP a specific machine that a computer on your LAN could connect to?

03. I assume that the first Port Range column refers to a port range on your local machine and the second Port Range column is a port on the destination IP?

So if you wanted to prevent a specific machine on your LAN from telnet-ing to a specific IP address on the internet, you would configure it like this:

Source IP   | Port Range | Destination IP | Port Range | Protocol |
192.168.1.5 | 23         | 172.214.4.174  | 23         | TCP      |

Which means that your local 1.5 machine WOULD be able to use telnet to reach some other machine on the internet?

And if you left the Source IP/Port Range and Destination IP/Port Range columns blank:

Source IP | Port Range | Destination IP | Port Range | Protocol |
          | 23         |                | 23         | TCP      |

Then no machines on your LAN could use port 23 to reach any machine on the internet?
 

ColinTaylor

Part of the Furniture
1. Yes.
2. It is what it says. Create syslog (System Log - General Log) entries for dropped or accepted incoming connections.
3. No, just IPv6.
4. The defaults are fine. By default the firewall drops all unsolicited incoming traffic.

1. Yes. And of course set Enable Network Services Filter to yes.
2. Yes.
3. Yes.

So if you wanted to prevent a specific machine on your LAN from telnet-ing to a specific IP address on the internet, you would configure it like this:
Code:
Source IP   | Port Range | Destination IP | Port Range | Protocol |
192.168.1.5 | 23         | 172.214.4.174  | 23         | TCP      |
Not quite. The source port for a telnet connection is ephemeral so you would leave that field blank.
Which means that your local 1.5 machine WOULD be able to use telnet to reach some other machine on the internet?
Yes.

And if you left the Source IP/Port Range and Destination IP/Port Range columns blank:
Code:
Source IP | Port Range | Destination IP | Port Range | Protocol |
          | 23         |                | 23         | TCP      |
Then no machines on your LAN could use port 23 to reach any machine on the internet?

Not quite. It would be this if you want to stop all machines connecting to any remote telnet server:
Code:
Source IP | Port Range | Destination IP | Port Range | Protocol |
          |            |                | 23         | TCP      |
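To make the point about ephemeral source ports concrete, here is an added example (not from the thread or from Asus/Merlin) that models the Network Services Filter table as a list of rules where a blank field means "match anything", then runs Vernon's and Colin's rules against a constructed telnet connection. The Rule/Conn names and the Blacklist/Whitelist handling are my assumptions about the table's semantics, not the router's actual code.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

Ports = Optional[Tuple[int, int]]  # inclusive (low, high); None = blank field


@dataclass(frozen=True)
class Rule:
    """One row of the Network Services Filter table (hypothetical model)."""
    src_ip: Optional[str] = None
    src_ports: Ports = None
    dst_ip: Optional[str] = None
    dst_ports: Ports = None
    proto: str = "TCP"


@dataclass(frozen=True)
class Conn:
    """A LAN-to-WAN connection attempt (constructed sample, not captured)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"


def _port_ok(rng: Ports, port: int) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def matches(rule: Rule, conn: Conn) -> bool:
    """A row matches only when every non-blank field matches the connection."""
    return (
        rule.proto == conn.proto
        and (rule.src_ip is None or rule.src_ip == conn.src_ip)
        and (rule.dst_ip is None or rule.dst_ip == conn.dst_ip)
        and _port_ok(rule.src_ports, conn.src_port)
        and _port_ok(rule.dst_ports, conn.dst_port)
    )


def allowed(rules, conn: Conn, table_type: str = "Blacklist") -> bool:
    """Blacklist: a matching row drops the connection; Whitelist: only
    connections matching some row are passed (assumed semantics)."""
    hit = any(matches(r, conn) for r in rules)
    return (not hit) if table_type == "Blacklist" else hit


# Constructed telnet session: the client picks an ephemeral source port.
TELNET = Conn("192.168.1.5", 51234, "172.214.4.174", 23)
VERNON_RULE = Rule("192.168.1.5", (23, 23), "172.214.4.174", (23, 23))  # pins src port
COLIN_RULE = Rule("192.168.1.5", None, "172.214.4.174", (23, 23))       # src port blank
ALL_TELNET = Rule(dst_ports=(23, 23))                                    # only dst port 23
```

Running `allowed([VERNON_RULE], TELNET)` still returns True (the pinned source port never matches), while `COLIN_RULE` and `ALL_TELNET` both drop it.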

Vernon

New Around Here
Thank you, Colin! Do you know of an existing list of ports to block in the Network Services Filter tab?
 

ColinTaylor

Part of the Furniture
Thank you, Colin! Do you know of an existing list of ports to block in the Network Services Filter tab?
I don't understand what you're trying to achieve. Can you explain a bit more?
 

Vernon

New Around Here
I want to block outgoing ports at the router level, for example, ssh, ftp, telnet, 3389, etc. I've blocked about 20 or so right now, but it would be a lot easier if someone had already compiled a list. Michael Horowitz at routersecurity.org mentions many ports he feels should be blocked, but they are scattered across his fairly large site. I'd be particularly interested in blocking "phone home" ports used by apps or even the router itself.

As an example, Asus firmware has a bunch of interesting services you can enable such as AIMesh, AIProtection, etc. In the past, if you enabled any of these services, data from your router would be sent to Trend Micro.

In 2017, I don't think there was any way to prevent Asus from sending your router traffic data to Trend Micro. There was a bit of an outcry I believe and the fix that Asus still has today is that, if you enable any of their free services, your traffic data is still sent to Trend Micro, but there's a "Withdraw" button on the Administration > Privacy tab.

So the question is: if I use any of these cool services and I click on the Withdraw button, how can I make sure my router traffic data isn't being sent to Trend Micro, and how can I make it more difficult for applications on my LAN machines to pull the same stunt?

That being said, it's probably easier to set the Firewall > Network Services Filter tab > Filter Table Type control to "Whitelist", in which case it would be easier if someone had already compiled a list of outgoing ports that you shouldn't block.

And that is basically what I'm trying to accomplish.

Thank you!

-Vern
 

ColinTaylor

Part of the Furniture
It's important to note that the Network Services Filter only applies to LAN to WAN traffic (as stated on its page). So it doesn't affect any services running on the router itself.

Regarding blacklisting ports, I think that's a fairly hopeless task. You can look at a list of official and some unofficial ports like this: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers but I doubt it could ever be complete.

I was also going to suggest whitelisting if you want to be really restrictive. Either way is fairly pointless IMHO. If there's something specific that you're trying to block (e.g. porn or online games) that's another matter. But trying to block everything I think is probably the wrong approach.

Regarding that blog post from 2017, it has been discussed many times and was debunked at the time.